Thank you very much for the opportunity to come to speak with you this afternoon.
As I was preparing my comments for today, I was surprised to go over the transcripts yet again and read that both Mr. Binder and Commissioner Stoddart indicated that PIPEDA is working quite well and that the community is generally satisfied with its provisions.
One of the hats I wear is as the chair of the National Privacy Coalition. It's a loose coalition of over 100 privacy experts across the country. We facilitate and support communication on a number of issues. We also provide platforms for organizing around those issues. I think it's quite apparent that the privacy community, in any event, has some serious concerns about the ways in which PIPEDA has been protecting, or perhaps failing to protect, the privacy of Canadians over the past five years.
As early as November 2004, the Public Interest Advocacy Centre issued a report that concluded that the legislation was in fact “a sheep in wolf's clothing”. I know you're aware of the report that was issued this year by the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa that documented widespread lack of compliance on the part of the private sector. I know from my own work with the small-business community, particularly in the context of public education, that there's a widespread confusion in a large part of that community about their responsibilities under the act.
From a consumer's point of view, I fear that for all of PIPEDA's good intentions, perhaps the best way to describe it is “death by a thousand cuts.” The language in the act is vague. Many of the rights and responsibilities set out in the legislation are either poorly defined or not defined at all.
That vagueness isn't an accident. The CSA code that the act is built on is a consensus-driven document. When consumer rights and business practicalities conflicted around the table when the CSA negotiation was going on, the drafters intentionally used language that could be interpreted broadly by both sides. That makes perfect sense when you're talking about a voluntary code, but it's disastrous for legislation.
Is PIPEDA fixable? Well, yes, with some caveats. First and foremost, I think we need to recognize right up front that the act is trying to do two very different things. On the one hand, it purports to protect individual privacy rights; on the other hand, it's designed to promote electronic commerce and make private information available in the marketplace for commercial purposes.
Those two purposes aren't always reconcilable, and I think you see a number of problems arise when you look at the kinds of platforms that have been developed to support electronic commerce.
First of all, a number of the technologies that are rolling out in the e-commerce world are built to allow the invisible collection of a whole range of personal information about you, about me, about all of us.
You know, for example, that cookies can track the websites you visit. Microsoft is one of many companies that use web beacons. Web beacons are these single-pixel graphics. They're so small that they're invisible, and you can pop them on a web page or stick them in an email. They're used there because the companies want to be able to track what you do when they email you. This little beacon will let them see if you, if I—
If I'm on MSN and am doing instant messaging—I'm registered there, and they know who I am—they pop one of these little web beacons into the emails they send me. They can then check and see what Val's up to. Did she read our email? Did she click on any of the links? They also have an arrangement whereby they have web beacons embedded in the websites of their advertisers to see whether Val goes over to one of the sites and buys one of the products they were advertising.
It's not only me they're watching—I'm rather boring. It's particularly important to realize that over half of Canadian kids between the ages of nine and seventeen instant-message on a daily basis; that's over 50%. An additional 20% instant-message at least every other day.
They can put a camera in a store, for example, to track eye movement. If I go into a store wanting to buy a pair of jeans for one of my kids and happen to notice a red sweater over in the corner and keep checking it out, the camera is set up to collect all that information about me. This can alert the store manager, so that the store manager can send over a clerk to close the deal on the red sweater that I did not come in to buy.
I understand you've been talking a bit about RFID tags. RFID tags are increasingly being implemented or deployed throughout the electronic marketplace. These are the promiscuous little devices that are attached to the products we buy. They're designed to do one thing: to tell whoever asks them who they are and where they are. If any RFID reader asks, they're promiscuous, and they'll say “Here I am, I'm right over here.”
I've tried, and it's very hard to tell if these things are actually attached to the products I buy, but it's virtually impossible to tell if they're turned off when I leave the store. Now, as an individual consumer, I'm not just worried about the information I'm dropping as I go through the electronic marketplace; I have to worry about the fact that my things are leaking information about me as well.
When you think about the information flows in this environment, people who shop this way, people who participate in electronic commerce are automatically—not by choice, but automatically—disclosing personal information just by using a free instant messaging service, buying some razor blades, or walking in front of a store's cameras. Since that collection of information is invisible, is seamless, it's really difficult for me to even realize it's there, much less to contest it.
Secondly, the environment is set up so that a lot of the information collected about individuals and used for commercial purposes is actually disclosed for non-commercial purposes. We're just going through our daily lives. We could be playing, we could be chatting with friends, we could be surfing the net, or we could be walking through stores and looking at red sweaters for fun. I'm not necessarily asking a company to enter into a transaction with me when this information is collected. In fact, the company is watching me as I go about my private life and is collecting information about me for its own purposes. I'd like to give you a couple of examples, so that you can see how this plays out in the information marketplace.
Neopets is one of the most popular e-commerce sites with Canadian kids aged nine to thirteen. Like almost all the top fifty sites that Canadian kids hang out on, they're encouraged to register. That means they are asked to provide their real name, their e-mail, their age, their gender, and some form of location information, whether it's a real-world address or a postal code. When kids go on this site, it looks like a playground, but it's actually a market research firm. The kids get there and they want to play, and they have an opportunity to create this virtual pet, a Neopet. In order to keep their Neopet alive, they have to buy food for it. There were a number of complaints, so they now have a Neopet food bank so they don't starve, as they used to in earlier years.